How I made $64k from deleted files – a bug bounty story
a year ago
- #github
- #security
- #bug-bounty
- Sharon Brizinov built an automation tool to scan GitHub repositories for leaked secrets by restoring files that had been deleted in later commits and by analyzing Git internals directly: a committed file lives on as a blob in the object store, and deleting it in a new commit, or rewriting history so no commit references it, does not remove that blob until garbage collection prunes it.
- The process involved collecting targets from public bug bounty programs, cloning their repositories, and running tools like TruffleHog over the recovered content to find secrets and verify which ones were still valid.
- Key findings included production tokens from GCP, AWS, Slack, and GitHub, with bounties ranging from $300 to $15,000.
- Common reasons for leaks included a lack of Git knowledge (deleting a file in a new commit leaves every earlier version in history), accidental commits of binary files, and ineffective use of history-rewriting tools: rewriting history without rotating the exposed credential leaves it valid, and the old objects often remain retrievable from the remote, forks, or pull-request refs until they are pruned.
- The project resulted in $64,350 in bug bounty rewards and improved security for affected companies.
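The following is an added example, not code from the original article or from Sharon Brizinov's tool, showing the Git-internals side of the technique described above: walk `.git/objects`, inflate each loose object, and regex-scan every blob, including blobs that no commit, tree, or ref points at any more. The token regexes and the sample repository (a blob holding Amazon's documented example access key `AKIAIOSFODNN7EXAMPLE`, standing in for a config file that was later "deleted") are constructed for this example; TruffleHog's detector set, which the original scan relied on, is far larger.

```python
"""Recover secret-bearing blobs from a Git object store without invoking git.

Git stores every committed file version as a zlib-compressed "blob" object
keyed by its SHA-1. Deleting the file in a later commit, or rewriting history
so that no commit points at it, does not remove the blob; it stays on disk
(and stays fetchable from a remote) until garbage collection prunes it.
"""
import hashlib
import re
import tempfile
import zlib
from pathlib import Path

# Assumption: a few well-known token prefixes stand in for TruffleHog's
# much larger detector set, which is what the original scan actually used.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(rb"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(rb"\bxox[abpr]-[A-Za-z0-9-]{10,}\b"),
}


def blob_oid(content: bytes) -> str:
    """Object id git assigns to `content`: SHA-1 over 'blob <len>\\0<content>'."""
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()


def write_loose_blob(git_dir: Path, content: bytes) -> str:
    """Store `content` as a loose blob exactly the way git does; return its id.

    Used here only to construct the sample repository; a real scan walks
    objects that git itself wrote.
    """
    oid = blob_oid(content)
    path = git_dir / "objects" / oid[:2] / oid[2:]
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(zlib.compress(b"blob %d\0" % len(content) + content))
    return oid


def iter_loose_objects(git_dir: Path):
    """Yield (oid, type, payload) for every loose object under .git/objects,
    whether or not any ref, commit or tree still references it."""
    objects = git_dir / "objects"
    if not objects.is_dir():
        return
    for shard in objects.iterdir():
        # Object shards are two hex chars; this skips objects/info and objects/pack.
        if not (shard.is_dir() and re.fullmatch(r"[0-9a-f]{2}", shard.name)):
            continue
        for entry in shard.iterdir():
            if not entry.is_file():
                continue
            raw = zlib.decompress(entry.read_bytes())
            header, _, payload = raw.partition(b"\0")
            obj_type, _, size = header.partition(b" ")
            if not size.isdigit() or int(size) != len(payload):
                continue  # truncated or corrupt object; git fsck would flag it
            yield shard.name + entry.name, obj_type.decode(), payload


def scan_blobs(git_dir: Path) -> list:
    """Return one finding per regex hit in any blob: {oid, detector, match}."""
    findings = []
    for oid, obj_type, payload in iter_loose_objects(git_dir):
        if obj_type != "blob":
            continue
        for detector, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(payload):
                findings.append({"oid": oid, "detector": detector,
                                 "match": m.group(0).decode()})
    return findings


def demo() -> list:
    """Constructed sample: a .git/objects tree in a temp dir holding one blob
    with the documented AWS example key (a file later 'deleted' from the
    working tree) and one clean blob, then scan it."""
    git_dir = Path(tempfile.mkdtemp()) / ".git"
    write_loose_blob(git_dir, b"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n")
    write_loose_blob(git_dir, b"# README\nno credentials here\n")
    return scan_blobs(git_dir)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['oid'][:12]}  {f['detector']}  {f['match']}")
```

This only reads loose objects; once a repository has been packed, the same blobs sit inside `.git/objects/pack/*.pack` and are easier to enumerate with git itself (`git cat-file --batch-all-objects --batch-check` lists every object including unreachable ones, `git fsck --unreachable --no-reflogs` lists just the orphans). For the "restore deleted files" step, `git log --diff-filter=D --name-only --pretty=format:%H` gives each deletion commit and path, and `git show <commit>^:<path>` prints the file as it was just before removal.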